BGP AS Path Filter Example

(Mikhail N) #21

Hi Rene,

Will BGP AS Path Filter work if I have only one IP transit provider (default) and this provider doesn’t support any BGP communities? I want to announce my routes only to few my providers upstreams and to stop incoming traffic from others.

(Rene Molenaar) #22

Hi Mikhail,

The AS path will always be in your BGP updates so yes, you don’t need communities for that.


(Chris N) #23

Is there a show command for as-paths access-lists, or do you need to filter it out of the running config?

(Lazaros Agapides) #24

Hello Chris

The command show ip as-path access-list displays information about IP AS path access lists.

I hope this has been helpful!


(RAWAZ K) #25


please If I have below configuration , what does it do?

route-map CC-IN, deny, sequence 2
  Match clauses:
    as-path (as-path filter): 15 
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes

show ip as-path-access-list 15
AS path access list 15
     permit ^39216$

  neighbor route-map CC-IN in

thanks for your support.

(Rene Molenaar) #26

Hi Rawaz,

The first statement (sequence 2) denies everything in AS-path 15.

AS path access-list 15 matches only on AS number 39216, nothing else.

Your route-map, however, doesn’t have any permit statements, so because of the implicit (invisible) deny any, everything will be denied.

If your goal is to deny only whatever you have in AS path access-list 15, add an additional sequence number in your route-map. Something like:

route-map CC-IN permit 10

The things you then deny in sequence 2 are denied, and everything else will be permitted because of sequence 10 (which is empty which means it matches on everything).

Hope this helps!


(Brian W) #27

Can AS-Path Prepend be used to influence incoming routes, outgoing routes, or both? Thank you

(Lazaros Agapides) #28

Hello Brian

AS-Path Prepend is used to influence incoming traffic. What it does is a router adds its own AS multiple times in the AS path, thus making this path appear longer, and thus less favourable. Like all methods of influencing incoming traffic, it can always be overridden by the routers in other AS’s.

Take a look at the relevant lesson below for more information:

I hope this has been helpful!


(Sahil S) #29

for this issue: Deny prefixes that originated from AS 56203 and permit everything else
why cant we use
ip as-path access-list 1 deny ^56203$ <-- then you are only matching an AS path that only has 56203 in it and nothing else
ip as-path access-list 1 permit .*

Please advise. Thanks

(Sahil S) #30

I think I got it. Cant use ^ coz it means it has to be a directly connect AS or the 1st AS in path.
Am i right ?

(Lazaros Agapides) #31

Hello Sahil

Yes you are correct. When you use the “^” you are indicating that ONLY this AS is being matched. However, using _56203$ you are matching strings that END with 56203 which means that such prefixes ORIGINATED from AS 56203.

I hope this has been helpful!